<!DOCTYPE html>
<meta charset=utf-8>
<title>Inherit sandbox from CSP embedded enforcement</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<script>
// Check sandbox flags are properly defined when its parent requires them and
// the child allows it.

const same_origin = get_host_info().HTTP_ORIGIN;
const cross_origin = get_host_info().HTTP_REMOTE_ORIGIN;
const check_sandbox_url =
  "/html/browsers/sandboxing/resources/check-sandbox-flags.html?pipe=";
const allow_csp_from_star = "|header(Allow-CSP-From,*)";

// Return a promise, resolving when |element| triggers |event_name| event.
const future = (element, event_name, source) => {
  return new Promise(resolve => {
    element.addEventListener(event_name, event => {
      if (!source || source.contentWindow == event.source)
        resolve(event)
    })
  });
};

const check_sandbox_script = `
<script>
  try {
    document.domain = document.domain;
    parent.postMessage("document-domain-is-allowed", "*");
  } catch (exception) {
    parent.postMessage("document-domain-is-disallowed", "*");
  }
</scr`+`ipt>
`;

const sandbox_policy = "sandbox allow-scripts allow-same-origin";

// Test using the modern async/await primitives are easier to read/write.
// However they run sequentially, contrary to async_test. This is the parallel
// version, to avoid timing out.
let promise_test_parallel = (promise, description) => {
  async_test(test => {
    promise(test)
    .then(() => {test.done();})
    .catch(test.step_func(error => { throw error; }));
  }, description);
};

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;

  // The <iframe> immediately hosts the initial empty document after being
  // appended into the DOM. It will, as long as its 'src' isn't loaded. That's
  // why a page do not load is being used.
  iframe.src = "/fetch/api/resources/infinite-slow-response.py";
  document.body.appendChild(iframe);

  const iframe_reply = future(window, "message", iframe);
  iframe.contentDocument.write(check_sandbox_script);
  const result = await iframe_reply;
  iframe.remove();

  assert_equals(result.data, "document-domain-is-disallowed");
}, "initial empty document");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.src = "data:text/html,dummy";

  const iframe_load_1 = future(iframe, "load");
  document.body.appendChild(iframe);
  await iframe_load_1;

  const iframe_load_2 = future(iframe, "load");
  iframe.csp = sandbox_policy;
  iframe.src = "about:blank";
  await iframe_load_2;

  const iframe_reply = future(window, "message", iframe);
  iframe.contentDocument.write(check_sandbox_script);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "about:blank");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.src =
    `data:text/html,${encodeURI(check_sandbox_script)}`;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "data-url");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.srcdoc = check_sandbox_script;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "srcdoc");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;

  const blob = new Blob([check_sandbox_script], { type: "text/html" });

  iframe.src = URL.createObjectURL(blob);

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "blob URL");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.src = same_origin + check_sandbox_url + allow_csp_from_star;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "same-origin");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.src = cross_origin + check_sandbox_url + allow_csp_from_star;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "cross-origin");

</script>
